Skill 4.1: Prepare on-premises Active Directory for Azure AD Connect

  • 11/7/2017

Azure Active Directory Connect is Microsoft’s replacement for DirSync and Azure Active Directory Sync tools. In Skill 4.1 from Exam Ref 70-346 Managing Office 365 Identities and Requirements, 2nd Edition, explore how to prepare your on-premises Active Directory environment for synchronization of user accounts, group accounts, and more.

This skill deals with preparing your on-premises Active Directory environment for synchronization of user accounts, group accounts, and mail-enabled contacts to the Azure Active Directory instance that supports the Office 365 tenancy. To master this skill, you’ll need to understand the different Active Directory synchronization tools, the steps needed to prepare an on-premises Active Directory instance for Azure AD Connect, what to do if your on-premises Active Directory uses a non-routable domain name, what to think about when it comes to planning filtering of user account objects for synchronization, and what to do if you have a multiple forest environment.

Azure Active Directory Connect

Azure Active Directory Connect is Microsoft’s replacement for DirSync and Azure Active Directory Sync tools. Azure AD Connect is designed to streamline the process of configuring connections between on-premises deployment. Rather than perform some of the complex tasks outlined in this chapter and the next, the Azure Active Directory Connect tool is designed to make the process of configuring synchronization between an on-premises Active Directory deployment and Azure Active Directory as frictionless as possible.

Azure Active Directory Connect can automatically configure and install simple password synchronization or Federation / Single Sign-on, depending on your organizational needs. When you choose the Federation with AD FS option, Active Directory Federation Services is installed and configured, as well as a Web Application Proxy server to facilitate communication between the on-premises AD FS deployment and Microsoft Azure Active Directory.

The Azure Active Directory Connect tool supports the following optional features, as shown in Figure 4-1:

  • Exchange hybrid deployment This option is suitable for organizations that have an Office 365 deployment where there are mailboxes hosted both on-premises and in the cloud.

  • Exchange mail public folders This feature allows organizations to synchronize mail-enabled public folder objects from an on-premises Active Directory environment to Office 365.

  • Azure AD app and attribute filtering Selecting this option gives you the ability to be more selective about which attributes are synchronized between the on-premises environment and Azure AD.

  • Password synchronization Synchronizes a hash of the user’s on-premises password Azure AD. When the user authenticates to Azure AD, the submitted password is hashed using the same process and if the hashes match, the user is authenticated. Each time the user updates their password on-premises, the updated password hash synchronizes to Azure AD.

  • Password writeback Password writeback allows users to change their passwords in the cloud and have the changed password written back to the on-premises Active Directory instance.

  • Group writeback Changes made to groups in Azure AD are written back to the on-premises AD instance.

  • Device writeback Information about devices registered by the user in Azure AD is written back to the on-premises AD instance.

  • Directory extension attribute sync Allows you to extend Azure AD schema based on extensions made to your organization’s on-premises Active Directory instance.

04fig01.jpg

FIGURE 4-1 Azure Active Directory Connect optional features